Server makers rush their Heartbleed patches


Number: IRCNE2014042162
Date: 2014-04-15

According to “computerworld”, enterprise IT vendors are rushing to protect users from the Heartbleed bug, which has been found in some servers and networking gear and could allow attackers to steal critical data -- including passwords and encryption keys -- from the memory of exposed systems.
Hewlett-Packard, Dell and IBM have set up pages that identify hardware and software products affected by Heartbleed, which exposes a critical defect in certain versions of OpenSSL, a software library for secure communication over the Internet and networks.
The bug, which was detailed last week, has already been patched in a new version of OpenSSL, but hardware companies are now racing to patch products relying on older versions. Firmware and software patches have been issued for HP's BladeSystems and IBM's AIX servers and also Dell's appliances and networking equipment. In advisories, the server makers have advised customers to investigate hypervisors, OSes and middleware for possible vulnerabilities.
Some HP servers use OpenSSL for encryption and secure communication, and the company is conducting an "aggressive and comprehensive review of all actively supported products" for exposure to the Heartbleed bug, an HP support page said. The security updates are available for free to all customers, an HP spokesman said in an email on Monday.
HP on Sunday issued patches for some versions of server management tools BladeSystem c-Class Onboard Administrator, Smart Update Manager and the System Management Homepage running OpenSSL on Linux and Windows.
Dell's PowerEdge servers and OpenManage system management products are not likely affected by Heartbleed. But in a comprehensive Heartbleed advisory, Dell identified system management, security appliances and networking equipment affected by the bug.
Dell is working on patches for the Kace K3000 mobile-device management appliance, some Foglight network appliances and networking equipment running on Dell's Networking Operating System (FTOS). The company has already issued firmware patches for affected SonicWall security appliances, and the advisory page on Dell's website will be updated when fixes for more products are released.
IBM has found that the Heartbleed bug affects AIX servers, which use OpenSSL to implement communication across clusters via the TLS (Transport Layer Security) protocol. OpenSSL also implements SSL (Secure Sockets Layer) for secure communication over the Internet.
IBM has issued an OpenSSL patch for servers running AIX 6.1 at Technology Level 9 (TL9) and AIX 7.1 at TL3. IBM is also recommending upgrading to the new OpenSSL version on GPFS (General Parallel File System) versions 3.4 and 3.5 for AIX and for Linux on Power and x86 servers. Software including WebSphere MQ, Sametime Community Server version 9 HF1 and Cloudant is affected by the Heartbleed bug.


First sites admit data loss through Heartbleed attacks


Number: IRCNE2014042161
Date: 2014-04-15

According to “computerworld”, Canada's tax authority and a popular British parenting website both lost user data after attackers exploited the Heartbleed SSL vulnerability, they said Monday.
The admissions are thought to be the first from websites confirming data loss as a result of Heartbleed, which was first publicized last Tuesday. The flaw existed in OpenSSL, a cryptographic library used by thousands of websites to enable encryption, and was quickly labeled one of the most serious security vulnerabilities in years.
The Canada Revenue Agency (CRA) blocked public access to its online services last Tuesday in reaction to the announcement, but that wasn't fast enough to stop attackers from stealing information, it said on its website.
"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability."
Mumsnet, a British parenting website with more than a million registered users, said over the weekend that it was forcing all users to change their passwords as a result of a Heartbleed attack.
"We are very sorry for all the fuss," the site said. "We want to assure you that we followed all the published steps to protect members' security as soon as we became aware of the Heartbleed security risk, but it seems that the breach occurred prior to that risk becoming known."


Heartbleed bug can expose private server encryption keys


Number: IRCNE2014042160
Date: 2014-04-15

According to “computerworld”, four researchers working separately have demonstrated that a server's private encryption key can be obtained using the Heartbleed bug.
The findings come shortly after a challenge created by CloudFlare, a San Francisco-based company that runs a security and redundancy service for website operators.
CloudFlare asked the security community whether the flaw in the OpenSSL cryptographic library, made public last week, could be used to obtain the private key used to create an encrypted channel between users and websites, known as SSL/TLS (Secure Sockets Layer/Transport Layer Security).
The private key is part of a security certificate that verifies a client computer isn't connecting with a fake website purporting to be a legitimate one. Browsers indicate a secure connection with a padlock and show a warning if the certificate is invalid.
Security experts thought it might be possible that the private key could be divulged by exploiting the Heartbleed flaw, which may have affected two-thirds of the Internet and set off a mad scramble to apply a patch that fixes it.
"This result reminds us not to underestimate the power of the crowd and emphasizes the danger posed by this vulnerability," wrote Nick Sullivan of CloudFlare on the company's blog.
By obtaining the private key for an SSL/TLS certificate, an attacker could set up a fake website that passes the security verification. They could also decrypt traffic passing between a client and a server, known as a man-in-the-middle attack.
Researchers are still trying to figure out the conditions under which specific data is revealed. OpenSSL, an open source library, is used in a wide variety of operating systems, mobile applications, routers and other networking equipment.
How the researchers each accomplished obtaining the private key hasn't been revealed.


BlackBerry to release Heartbleed fixes for BBM Messenger, Secure Work Space


Number: IRCNE2014042159
Date: 2014-04-16

According to “zdnet”, BlackBerry plans to release a set of updates to plug the security holes left by the OpenSSL flaw Heartbleed.
Heartbleed is a security flaw which was discovered by researchers this month. The vulnerability is found in OpenSSL software used to keep data secure across a variety of services, including across messaging services, content sharing, online shopping and banking.
Through the flaw, hackers can theoretically communicate with a server, steal large amounts of data, and vanish without a trace.
A number of companies have issued patches to stem the problem, including Google, Facebook, YouTube and Yahoo. According to Reuters, BlackBerry is now next on the list: BlackBerry senior vice president Scott Totzke said the firm will need to update two popular BlackBerry products, the Secure Work Space corporate email product and the BBM messaging program for Android and iOS.
Totzke says that the majority of BlackBerry services do not use OpenSSL and are therefore impervious to Heartbleed, but Secure Work Space and BBM messaging may be vulnerable if cybercriminals gain access to these apps through Wi-Fi or carrier networks.
Totzke says he believes it is safe to continue using these services until patches are released.


Older Android devices vulnerable to the Heartbleed bug


Number: IRCNE2014042158
Date: 23/01/93

Not only servers but also client-side applications, particularly those running on Android 4.1.x, are vulnerable to the Heartbleed bug.
Yesterday Google confirmed that Android 4.1.1 Jelly Bean is affected by this flaw, and the company has distributed a patch to fix it.
It is not clear how many Android devices run version 4.1.1, but according to Google's Android distribution dashboard, 35 percent of Android devices run version 4.1.x; in other words, more than one third of Android devices are currently running version 4.1.x.
Cybercriminals are already exploiting the Heartbleed bug, which has received wide global coverage. They have realized that, beyond being an interesting bug, it is an attractive topic for the mainstream media, so in the near future we will see spam messages about Heartbleed used as a mechanism to distribute other malicious code and malware.


Apple devices not vulnerable to the Heartbleed bug


Number: IRCNE2014042157
Date: 23/01/93

iOS and OS X users can breathe a sigh of relief, since their devices are not affected by the OpenSSL Heartbleed security flaw, but if they use BBM on iOS for private messages, they should stop using it for now.
Apple announced that its products are not affected by the vulnerability in OpenSSL. The company uses a different SSL/TLS library, SecureTransport, which was hit by a serious bug in February, though not one as dangerous as Heartbleed.
BlackBerry confirmed that several of its products, including BBM for iOS and Android, are affected by the Heartbleed vulnerability. BBM has about 80 million users worldwide.
Other vulnerable BlackBerry products include Secure Work Space for iOS and Android and BlackBerry Link for Windows and Mac OS.
The company has not yet released a patch for its vulnerable products and, worse, has announced no mitigation for the vulnerability in BBM or Secure Work Space.
BlackBerry's core products, such as BlackBerry smartphones, BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10, are not affected by this vulnerability.
Amazon confirmed that it is vulnerable to this bug, and users of ELB, EC2, OpsWorks, Elastic Beanstalk and CloudFront are affected by the resulting threat.
On Thursday Mozilla announced that its identity authentication project, Persona, and Firefox Account are affected by the Heartbleed vulnerability. Their servers run in AWS, while encrypted TLS connections terminate on AWS ELB, which uses OpenSSL.


Cisco and Juniper products vulnerable to the Heartbleed bug


Number: IRCNE2014042155
Date: 23/01/93

Some Cisco and Juniper products are affected by the Heartbleed bug. In a security advisory published on Wednesday, Cisco released a long list of its products, some of which are confirmed vulnerable and others still under investigation. Among the 16 products confirmed vulnerable are Unified Communication Manager (UCM) 10.0, the Cisco MS200X Ethernet Access Switch and several Unified IP Phone products. Version 1.2 of the advisory lists 65 products that are under investigation.
Two products, Cisco Registered Envelope Service (CRES) and Cisco Webex Messenger Service, were also vulnerable to Heartbleed and have now been fixed. Cisco's advisory states that so far none of the Cisco hosted services examined are affected by this vulnerability. 62 other products, including many routers and Cisco's own IOS operating system, have been confirmed not vulnerable.
Juniper also published a very important notice on the front page of its security website. The notice explains the Heartbleed bug but gives no information about whether Juniper's own products are vulnerable.
A Juniper spokesperson said that a subset of Juniper products, including certain versions of its SSL VPN software, are affected by the Heartbleed vulnerability. The company released an update for its SSL VPN product on Thursday and will release patches for its other vulnerable products. "We advise our customers to contact Juniper customer support for more information and product updates," the spokesperson said.


The Heartbleed bug has affected mobile applications


Number: IRCNE2014042156
Date: 23/01/93

On Thursday, security firm Trend Micro said in a blog post that Android and iOS mobile applications are affected by the Heartbleed vulnerability.
The company said that, because of the security threats, customers should avoid purchasing applications through their mobile devices until the vulnerability is fully resolved.
According to Trend Micro's findings, a scan of about 390,000 Google Play applications showed that about 1,300 of them connect to servers vulnerable to Heartbleed. Among these are more than 12 online banking applications, 40 online payment applications and 10 online shopping applications. Several popular applications are also vulnerable because they connect to vulnerable servers.
Like websites, mobile applications may be vulnerable to the bug, because they may connect to vulnerable servers.
The company also identified a number of popular applications, such as instant messaging, healthcare, keyboard input and even mobile payment applications, that are used daily and handle sensitive financial and personal information.
JD Sherry, vice president at Trend Micro, said the company had not performed the same review of Apple App Store applications, but that there is no doubt some of those apps are also at risk.
Even applications not purchased from Google's store may be exposed to this vulnerability if they connect to a server online. For example, some apps may ask you to ‘like’ them on a social network or “follow” them to receive a reward, and to do so the user connects to a vulnerable server.


Lagging Android devices vulnerable to Heartbleed


Number: IRCNE2014042158
Date: 2014-04-12

According to “zdnet”, client-side applications can be vulnerable too, not just servers — particularly those running on Android 4.1.x.
Google yesterday confirmed Android 4.1.1, Jelly Bean, was affected by the flaw and it was developing a patch and distributing it to Android partners.
It's not clear how many Android 4.1.1 devices exist, but according to Google's Android distribution dashboard 4.1.x accounts for about 35 percent of all Android devices. More than one-third of operational Android devices are still running version 4.1.x, Williams said.
Unlike most Linux distributions, which the researchers praised for issuing OpenSSL patches promptly, they were scathing of Android for the availability of patches being "a little bit less than desired", as Williams put it.
Lyne warned that criminals are starting to take advantage of Heartbleed's high media profile.
"Through today, the cyber criminals really wised up to the fact that this was an interesting topic for the mainstream media, beyond being an interesting bug. So we've started seeing lots of spam messages about Heartbleed being used as a mechanism to distribute other malicious code and scams," he said.


Apple's iOS, OS X don't have Heartbleed bug but BBM for iOS and Android do


Number: IRCNE2014042157
Date: 2014-04-12

According to “zdnet”, iOS and OS X users can breathe a sigh of relief with the knowledge that their devices are not affected by the catastrophic OpenSSL Heartbleed security flaw — but if they're using BBM for really private messages on iOS they might want to stop right now.
"Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected," Apple told Re/code.
Apple uses a different SSL/TLS library, called SecureTransport, which was hit by its own very serious bug in February — though it wasn't quite as dangerous as Heartbleed.
BlackBerry has now confirmed that several of its products, including BBM for iOS and Android, were affected by Heartbleed. BBM has about 80 million users.
Other BlackBerry products affected include its rival to Samsung's Knox, Secure Work Space for iOS and Android, and BlackBerry Link for Windows and Mac OS.
BlackBerry doesn't have a patch for any of the products yet, but worse yet there are "no mitigations" for the vulnerability in BBM or Secure Work Spaces.
BlackBerry's core products including BlackBerry smartphones, BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10 were not affected, it said.
However, cloud giant Amazon confirmed it was affected, which has had an impact on anyone that used ELB, EC2, OpsWorks, Elastic Beanstalk, and CloudFront.
Mozilla announced on Wednesday that its federated identity authentication project, Persona, and Firefox Account were affected by Heartbleed. Their servers ran in AWS while encrypted TLS connections terminated on AWS ELB using OpenSSL.
